templates/web.letsencrypt.ssl.template.yml

   1 env:
   2   LETSENCRYPT_DIR: "/shared/letsencrypt"
   3
   4 hooks:
   5   after_ssl:
   6     - exec:
   7        cmd:
   8          - if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
   9          - /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"
  10
  11     - exec:
  12        cmd:
  13          - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard ac0970abbad9390f9ab5e99f7f4043502d40eafa
  14          - touch /var/spool/cron/crontabs/root
  15          - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
  16          - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install --log "${LETSENCRYPT_DIR}/acme.sh.log"
  17          - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade
  18
  19     - file:
  20        path: "/etc/nginx/letsencrypt.conf"
  21        contents: |
  22         user www-data;
  23         worker_processes auto;
  24         daemon on;
  25
  26         events {
  27           worker_connections 768;
  28           # multi_accept on;
  29         }
  30
  31         http {
  32           sendfile on;
  33           tcp_nopush on;
  34           tcp_nodelay on;
  35           keepalive_timeout 65;
  36           types_hash_max_size 2048;
  37
  38           access_log /var/log/nginx/access.letsencrypt.log;
  39           error_log /var/log/nginx/error.letsencrypt.log;
  40
  41           server {
  42             listen 80;
  43             listen [::]:80;
  44
  45             location ~ /.well-known {
  46               root /var/www/discourse/public;
  47               allow all;
  48             }
  49           }
  50         }
  51
  52     - file:
  53        path: /etc/runit/1.d/letsencrypt
  54        chmod: "+x"
  55        contents: |
  56           #!/bin/bash
  57           /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
  58
  59           LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 -w /var/www/discourse/public
  60
  61           if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
  62             # Try to issue the cert again if something goes wrong
  63             LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --force -w /var/www/discourse/public
  64           fi
  65
  66           LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"
  67
  68           /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
  69
  70     - replace:
  71        filename: "/etc/nginx/conf.d/discourse.conf"
  72        from: /ssl_certificate.+/
  73        to: |
  74          ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
  75
  76     - replace:
  77        filename: /shared/letsencrypt/account.conf
  78        from: /#?ACCOUNT_EMAIL=.+/
  79        to: |
  80          ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
  81
  82     - replace:
  83        filename: "/etc/nginx/conf.d/discourse.conf"
  84        from: /ssl_certificate_key.+/
  85        to: |
  86          ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
  87
  88     - replace:
  89        filename: "/etc/nginx/conf.d/discourse.conf"
  90        from: /add_header.+/
  91        to: |
  92          add_header Strict-Transport-Security 'max-age=63072000';